HHS Issues Notice Requirements for Breaches of Unsecured Protected Health Information

On August 24, 2009, the U.S. Department of Health and Human Services (HHS) published interim final regulations regarding the notice of breach requirements introduced by the Health Information Technology for Economic and Clinical Health Act. 

Specifically, the regulations require covered entities to notify an individual and, in some cases, HHS and the media when there has been a “breach” of “unsecured” protected health information.  Business associates are required to notify the covered entity affected by the breach without unreasonable delay, but in no event more than 60 days after discovering the breach.  HHS indicated that a covered entity may transfer the notice obligation to the business associate, or require indemnification by the business associate, for such breaches pursuant to a contractual agreement between the parties.


The regulations define a “breach” as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security and privacy of the protected health information.”  A use or disclosure compromises the security or privacy of protected health information only if it creates “a significant risk” of financial, reputational, or other harm to the individual.

Harm Threshold

To determine whether such significant risk exists (harm threshold), an entity must perform and document a risk assessment.  In performing the risk assessment, HHS suggests that the entity consider the following non-exclusive list of factors:

  1. who impermissibly used the information or to whom was the information impermissibly disclosed;
  2. the nature and amount of protected health information disclosed; and
  3. any steps taken that mitigate, eliminate or reduce the risk of harm to the individual.

The risk assessment must be documented, particularly if it results in a decision not to provide notice based on the entity’s determination that the breach does not pose a significant risk of harm to the individual.  The entity has the burden of proof to demonstrate that all notifications have been made as required by the regulations.

Unsecure Protected Health Information

Only breaches of “unsecure” protected health information must be reported.  Protected health information is “unsecure” if it is not secured through the use of technology or methodology that renders the information unusable, unreadable, or indecipherable to unauthorized individuals as specified by HHS in its guidance.  HHS guidance identifies encryption and destruction as the technologies and methodologies acceptable for rendering protected health information “secure.”  Therefore, covered entities and business associates can avoid the breach notification requirement by encrypting or destroying protected health information in accordance with the standards specified in HHS guidance.

Acceptable Encryption Technologies

According to HHS guidance, acceptable encryption depends upon the strength of the encryption algorithm and the security of the decryption key or process, which itself must not have been breached.  HHS indicated that encryption keys must be kept on a separate device from encrypted or decrypted information.  In addition, HHS specifically rejected the use of firewalls or access controls as an alternative to encryption.  HHS noted that if firewalls or access controls are compromised, the underlying protected health information may still be usable, readable, or decipherable to unauthorized individuals. 

Acceptable Destruction Methodologies

Acceptable methods for destroying protected health information include: (i) paper, film, or other hard copy media shredded or destroyed in order that protected health information cannot be read or reconstructed; and (ii) electronic media cleared, purged or destroyed consistent with the standards of the National Institute of Standards and Technology (NIST).  HHS specifically excluded redaction as a means of destruction of protected health information, unless the information is properly redacted so as to be fully de-identified. 


The following situations do not trigger the notice requirements:

  1. De-identified Health Information.  Since de-identified health information is not considered protected health information, it does not trigger the breach notification requirements.  Health information is considered de-identified only if: (i) the information does not identify an individual; (ii) there is no reasonable basis to believe the information can be used to identify an individual; and (iii) the entity complies with the Privacy Rule requirements for de-identifying protected health information.
  2. Limited Data Set.  A breach does not occur if the protected health information is part of a “limited data set” and does not include ZIP codes or dates of birth.  A limited data set is a collection of protected health information that excludes some but not all identifying information (e.g., names, addresses), and is used for research, public health or operational purposes.
  3. Unintentional Acquisition, Access, Use.  Notice is not required if there is an unintentional acquisition, access or use of protected health information by a workforce member acting in good faith and within the scope of his or her authority, and the protected health information is not further used or disclosed in a manner that violates the Privacy Rule.  For example, “unintentional access” occurs if a member of the workforce mistakenly receives an e-mail from another member of the workforce that contains protected health information.
  4. Inadvertent Disclosures.  No reportable breach occurs if an inadvertent disclosure is made by an authorized person to another authorized person at the same covered entity, business associate or organized health care arrangement, and the protected health information is not further used or disclosed in a manner that violates the Privacy Rule.  For example, “inadvertent access” occurs when a physician inadvertently sends an e-mail containing protected health information to another physician working at the same hospital regarding the wrong patient.  Both physicians are authorized to access the protected health information.
  5. Unable to Retain.  Notification is not required if there is a disclosure to an unauthorized person, and the entity has a good faith belief that the recipient would not reasonably have been able to retain the information.  For example, notice is not required if an authorized person hands the wrong medical record to a patient but immediately recovers the information from the patient.  In such a case, notice is not required because the patient did not retain the information.

Covered entities must comply with the notice requirements beginning on September 23, 2009.  However, HHS announced that it will not impose sanctions for failure to make the required notice until February 22, 2010 (180 days after publication of the interim final regulations).  HHS indicated that it expects covered entities to use their best efforts to comply with the regulations and keep track of any breaches that occur during the grace period.

The regulations do not relieve covered entities or business associates from compliance with other applicable requirements, such as (i) the obligation to mitigate, to the extent practicable, any known harmful effect arising out of a breach of protected health information; or (ii) any other federal or state requirement that may apply following a breach of protected health information (e.g., state breach notification requirements).

If you have any questions regarding health care law, please contact any member of Greenebaum’s Health, Health Insurance & Life Sciences Team.


Copyright 2009 Greenebaum Doll & McDonald PLLC.  All Rights Reserved.
